Reading the Notepad Tab Cache

This software gathers notepad.exe tab cache data and prints it to standard output in JSON format.

There are a few work-arounds included until the code can be updated. If you have additions, feel free to fork and open a pull request.

Notepad keeps a cache of open tabs, meaning it remembers which files or documents you have open in the editor even if you close Notepad and reopen it later. This allows you to quickly resume working on the same files without having to navigate to them again.

This video by John Hammond will explain some details about this artifact.

Another analysis made by ribcatcher on the issue tracker of a similar project in Rust:

Link

I decided to take the approach of repeatedly opening and closing notepad and trying to see what data persisted and what was lost between sessions. All that data must be part of the tab "state" and therefore, must be somewhere in these tab-state files.

To be honest, reading this a second time, I don't think the info here is that helpful, but it should help someone working on this get a head start. Take everything here with a tub of salt - I'm a uni student and have 0.00 years of professional experience.

OBSERVATION #1
Steps:

1. Create a new file and save it.
2. Load up the saved file in notepad and edit it.
3. DO NOT SAVE the edits and close notepad. Reopen notepad to verify that the edits were cached (they were). Then close notepad.
4. Open the file in a second editor and add some text. Save the file.
5. Reopen the file in notepad and navigate to the tab with the unsaved data.
6. Notepad notices that the file on disk has edits newer than the cached edits in notepad.

Therefore:

Notepad (probably) saves the hash of the file on disk + time of last edit as well as the hash of the cached edits and their timestamps. That could be the garbled data before and after the contents.
I believe that the garbled data in between the delimiters and the data after the end of contents must be some form of hashes + timestamp. Perhaps the timestamp of the edits + the timestamp of the last edits and the hash + timestamp of the file on disk.
I was curious about the .0.bin and .1.bin files; since they are considerably smaller but still follow the same format somewhat (see point 7), I decided to focus a bit on those. I decided to do some tests.

OBSERVATION #2:
1. Create a file.
2. Open it in notepad and see the cache. One file with a UUID is made.
3. Close the file; we see .0.bin and .1.bin pop into existence.
4. We also see that .1.bin is empty (zero bytes).
5. Reopen the file in notepad. This usually makes a second (newer) tab. Close that tab so that the original tab is in view.
6. Now close the file without making any edits in the tab.
7. .1.bin is populated! Moreover, we see the same pattern (01 00 00 00) in the .1.bin file, followed by some garbled data.
8. Now repeat steps 5 through 7.
9. We see that the end of .1.bin has changed.
10. If I repeat 5-7 a second time, we see that .1.bin doesn't change, but .0.bin does? Concluding, it seems notepad stores session data alternately, once in .0.bin and once in .1.bin. The initial session populates .0.bin, the next populates .1.bin, and back and forth.
11. Also, if you notice, notepad preserves cursor position between sessions. I assume that too must be stored somewhere in those files or the main one. They're clearly a complete "tab state" that has all the necessary info to recreate a notepad tab, including where the cursor was, etc.

OBSERVATION #3:
While notepad was open, I tried adding more data to the file. What I noticed was that the new data was appended onto the end of the original file content as:

<original-file-contents> <garble> <byte 1 of new data> <8 bytes of garble> <byte 2 of new data> <8 bytes of garble> <another byte of new data>

.... (Or I guess, if it was UTF-16, 7 bytes of garble and two bytes of new data and so on... - which seems more accurate)

Pressing Ctrl+S to save immediately purges this garble garble and turns it into the same format that John saw in his video for a closed session.

Another curious thing I noticed was that while every action done caused a change in the file, curiously, notepad does not seem to have a REDO function. Or at least, it isn't mapped to ctrl+shift+z.

Another, more curious thing is that "undo" seems to revert the entire file to its original state as saved. Discarding all new data in one step...

So I experimented with this some more. What seems to happen is that all actions taken in notepad get appended to the end of the bin file. Ex. Undo gets appended as 14 05 00 99 19 26 FB, that's then cleared when the file is saved.

Adding onto the theory that everything in the file while notepad is open is an action, and not data to be stored: If you paste text in an open window, the pasted text is visible in hex in one coherent, UTF-16 encoded block.

I got kinda fatigued at this point as it was getting late, but I hope whoever reads this gets a bit of a head start!
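As an added triage example (not the parser's own code and not ribcatcher's), the script below groups the <uuid>.bin, <uuid>.0.bin and <uuid>.1.bin files the post describes, flags the 01 00 00 00 marker, and carves UTF-16LE text runs so an analyst can see tab content without a full format parser. The UUID, byte samples and function names are constructed here; note that unsaved edits interleaved with action records (one character per roughly eight bytes, as observed above) will not form a run and so are not recovered by this carver.

```python
import os
import re
from collections import defaultdict
from pathlib import Path

# Directory the page gives for the cache (Windows only); only listed when read.
TAB_STATE_DIR = os.path.join(os.environ.get("LOCALAPPDATA", ""),
    r"Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState")
# Naming the post reports: <uuid>.bin plus per-session <uuid>.0.bin / <uuid>.1.bin.
NAME_RE = re.compile(r"^([0-9a-f-]{36})(?:\.([01]))?\.bin$", re.I)

def carve_utf16le(data: bytes, min_chars: int = 4) -> list[str]:
    """Printable UTF-16LE runs of >= min_chars chars; header, timestamp and
    action bytes are skipped. Interleaved single-char edits form no run."""
    runs, cur, i = [], [], 0
    while i + 1 < len(data):
        code = data[i] | (data[i + 1] << 8)
        if 0x20 <= code <= 0x7E or code in (0x09, 0x0A, 0x0D):
            cur.append(chr(code))
            i += 2
            continue
        if len(cur) >= min_chars:
            runs.append("".join(cur))
        cur, i = [], i + 1  # re-sync one byte at a time; header is not 2-aligned
    if len(cur) >= min_chars:
        runs.append("".join(cur))
    return runs

def summarize(files: dict[str, bytes]) -> dict:
    """Group files by tab UUID; per file: size, 01 00 00 00 marker, carved text."""
    tabs = defaultdict(dict)
    for name, data in files.items():
        m = NAME_RE.match(name)
        if m:
            slot = "main" if m.group(2) is None else "session" + m.group(2)
            tabs[m.group(1).lower()][slot] = {
                "size": len(data), "starts_01000000": data[:4] == b"\x01\x00\x00\x00",
                "strings": carve_utf16le(data)}
    return dict(tabs)  # JSON-serialisable, like the parser's own output

def read_tab_state_dir(path: str = TAB_STATE_DIR) -> dict:
    """Summarise the live cache directory (run on a Windows host or on a copy)."""
    return summarize({p.name: p.read_bytes() for p in Path(path).glob("*.bin")})

# Constructed sample (not a real capture) covering the three file kinds.
UUID = "6f1a2b3c-0000-4000-8000-0123456789ab"
SAMPLE = {f"{UUID}.bin": b"\x01\x00\x00\x00" + "hello tab".encode("utf-16-le") + b"\x14\x05\x00\x99",
          f"{UUID}.0.bin": b"\x01\x00\x00\x00\x07" + "v1 text".encode("utf-16-le"),
          f"{UUID}.1.bin": b""}
```

Run `summarize(SAMPLE)` offline to see the grouping, or `read_tab_state_dir()` on a Windows host (or point it at a copied TabState folder) for real data.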

The best method for eradicating this tab cache data is to securely erase the files located here:

        import os

        # From the parser's path setup, shown here as a standalone function:
        # resolves to %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\
        def notepad_tab_state_dir():
            environ_path = os.environ['LOCALAPPDATA']
            np_cache_path = "Packages\\Microsoft.WindowsNotepad_8wekyb3d8bbwe\\LocalState\\TabState\\"
            return os.path.join(environ_path, np_cache_path)

Download:

Notepad Tab Cache Parser

Notepad Tab Cache Parser (x64 Windows)
